Employing software metrics, such as size and complexity, to predict defects has received a lot of attention over the years and has proven very useful. However, the few studies looking at software architecture and vulnerabilities are limited in scope and findings. We explore the relationship between software vulnerabilities and component metrics (like code churn and cyclomatic complexity), as well as architecture coupling metrics (direct, indirect, and cyclic coupling). Our case is based on the Google Chromium project, an open source project that has not been studied for this topic yet. Our findings show a strong relationship between vulnerabilities and both component level metrics and architecture coupling metrics. 68% of the files associated with a vulnerability are cyclically coupled, compared to 43% of the non-vulnerable files. Our best regression model is a combination of low commenting, high code churn, high direct fan-out within the main cyclic group, and high direct fan-in outside of the main cyclic group.

Return on invested capital (ROIC) is a financial measure of the profitability of a firm or business unit. If it is greater than the business's cost of capital, then reinvestment of earnings increases shareholder value. The ROIC also determines a maximum self-sustaining growth rate for the business in the absence of outside funding. Finally, for businesses engaged in Schumpeterian competition, innovators with an ROIC advantage can drive out their predecessors by making them unprofitable. In this fashion, relative ROIC determines an innovation's potential for 'creative destruction'.

The modern industrial firm increasingly relies on software to support its competitive position. However, the uncertain and dynamic nature of today’s global marketplace dictates that this software be continually evolved and adapted to meet new business challenges. This ability—to rapidly update, improve, remove, replace, and reimagine the software applications that underpin a firm’s competitive position—is at the heart of what has been called IT agility. Unfortunately, we have little understanding of the antecedents of IT agility, specifically with respect to the choices that a firm makes when designing its portfolio of software applications. In this paper, we explore the relationship between software portfolio architecture and IT agility. In particular, we use modular systems theory to examine how different types of coupling impact the ability to maintain, retire, and commission new software applications. We test our hypotheses with a unique longitudinal dataset from a large financial services firm. Our sample comprises information on over 2,000 software applications observed over a four-year period. We find that applications with higher levels of coupling cost more to maintain, are less likely to be retired, and are less likely to be commissioned. However, we show specific types of coupling present greater challenges than others in terms of their impact. In particular, applications that are cyclically coupled (i.e., mutually interdependent) are the most difficult to manage in terms of maintaining and updating the software portfolio. Our results suggest that IT managers have a critical design role to play in firms that seek enhanced digital agility.